News of a hack of the systems of VTech came as a surprise only in that a company of this type hadn’t been hit earlier. The data security breach is raising interesting questions regarding the steps a company located outside of the United States must take when accessing markets in this country.
VTech Data Breach
VTech is a company based in Hong Kong. It produces online games, eBooks, and educational products. The company is behind hundreds of popular products, but is unknown by name to most consumers.
On November 14, 2015, VTech was allegedly hacked by third parties. These parties gained access to the accounts of five million adults and six million children according to the company. The information accessed included names, email addresses, passwords, mailing addresses, and download history. It is not clear if the information also included personal photos and logs uploaded by users to their accounts.
VTech is indicating hackers failed to capture the financial information of any users. Third-party processors are used by the company to handle transactions, and the security of these third parties was apparently not breached.
Given VTech directs many of its products to children under 13, politicians and media commentators have been asking whether the company is COPPA compliant. VTech has provided no answer, with the silence suggesting a compliance failure. Ultimately, this raises two key points for consideration.
The first point is companies wishing to tap the lucrative online markets of the United States must comply with the laws of the country. Failure to do so opens companies up to significant financial penalties as well as the risk of being barred from the markets. In this case, VTech faces fines of up to $16,000 per child under 13 who had private information compromised through the hack. With the information of six million children hacked, the settlement may easily represent the largest COPPA penalty ever if, in fact, the company was not COPPA compliant.
The second point worth raising is the culpability of the Federal Trade Commission. The FTC has repudiated its obligation to enforce COPPA for the most part, which leads to lax compliance by companies. If the FTC met its COPPA enforcement obligations, companies operating online would be far more likely to comply, and the regulatory environment surrounding the law would be effective instead of something closer to a bad joke.
Perhaps the most aggravating aspect of the VTech case is the predictability of what comes next. The FTC will file an enforcement action, and settle with the company quickly. The Commission will then issue press releases patting itself on the back for enforcing COPPA despite the fact the FTC was so late to the party it likely learned VTech was collecting the personal information of millions of children under 13 while skimming Google news for evil weight loss ads the Commission can prosecute.
Did VTech violate COPPA? The answer is not yet clear. What is clear, however, is companies tapping the consumer markets of the United States must comply with relevant U.S. laws or face the legal crisis now planted squarely in the lap of the management of VTech.
Richard A. Chapo, Esq.